The Indian Computer Emergency Response Team (CERT-In) has issued a medium severity alert for Bad Rabbit, a ransomware that spread in Ukraine, Bulgaria, Turkey and Japan. A major portion of the targets were in Russia. The ransomware infects a machine by pretending to be an Adobe Flash Installer, then spreads through the network though open server message block shares, dropping malware through a hardcoded list of credentials.

Image: Max Pixel

The Mimikatz post exploitation tool is used to retrieve credentials from the target systems. Bad Rabbit uses DiskCryptor to encrypt the entire drive with RSA 2048 keys, it also encrypts individual files. Bad Rabbit then demands a 0.05 bitcoin payment to allow the users to access the files, with a countdown timer, after which the ransom amount is increased. CERT-In recommends keeping the software and operating system updated, regularly backing up critical data in air gapped drives, disabling SMB, activating the anti-ransomware folder protection feature in Windows 10, and blocking the execution of \windows\infpub.dat and c:\Windows\cscc.dat.

The ransomware spreads by exploiting critical remote code execution vulnerabilities fixed by the Microsoft Security Bulletin MS17-010. Bad Rabbit uses EternalRomance, an NSA tool leaked by a hacking collective known as the ShadowBrokers. The same cluster of tools were used in a number of high profile malware attacks, including the WannaCry ransomware, A cryptocurrency miner known as Adylkuzz, a ransomware that primarily spread in China called UIWIX, and NotPetya which was a massive cyberattack campaign designed to destroy data disguised as a malware.

According to research by ESET, 65 percent of the affected systems were in Russia, with only 2.4 percent of the infections occurring outside Russia, Ukraine, Turkey, Bulgaria or Japan. Many of the systems were affected at the same time, which indicates that the attackers already had a foothold inside the companies. Both ESET and and Cisco's Talos intelligence confirm that there are no indications that Bad Rabbit is using the EternalBlue exploit, despite reports. According to Talos, Bad Rabbit is built on the same code base as the Nyetya malware and that the authors of Nyetya and Bad Rabbit are the same. According to Kaspersky's SecureList, Bad Rabbit is a previously unknown malware family and analysis of the code shows similarities between Bad Rabbit and the ExPetr malware.

A screenshot of the ransomware. Image: ESET.

The scheduled tasks are named after dragons from The Game of Thrones, and are called viserion_, rhaegal and drogon. The hard coded passwords for dropping the malware is a rather weak list, with god, sex, love and secret right on top. This is a reference to the 1995 movie, Hackers.